Point of view · Governance

Data sovereignty: your company’s brain shouldn’t live in a US vendor

The company brain (decisions, rules, state, and often sensitive data) is becoming memory inside AI tools. Convenient, but that brain is rented: opaque, governed by others, and almost always hosted overseas. For an ordinary company it can be fine. For a regulated sector or sensitive data it isn’t: there, owning it matters. This is the bridge between the company brain and governance, and why data ownership isn’t a technical detail.

Raffaele Zarrelli, AI Architect & Founder, Yempik · July 2, 2026 · 7 min read
In summary
  • A company’s brain (decisions, rules, state, and often sensitive data) is ending up inside the memory of AI tools, almost always from vendors based in the United States.
  • That brain is rented: opaque (you can’t see what it learned), governed by the vendor, and hosted where they decide. Convenient, but not yours.
  • For many companies vendor memory is fine. It becomes a problem for regulated sectors, personal data, and when you must prove what the system knows and where the data lives.
  • The answer isn’t giving up AI, it’s owning the context: files you govern, GDPR compliance, data at rest in the EU, self-hosting where needed.
A rented brain

The AI’s memory is convenient, but it lives in someone else’s house

As AI moves into the work, your company’s context (decisions made, rules, project state, sometimes customers’ personal data) settles into the memory of the tools you use. It’s convenient: the tool "remembers" and starts more informed each time. But that memory isn’t an archive you own. It’s opaque, because you can’t see precisely what it learned; it’s governed by the vendor, who decides how it works and what they do with it; and it’s hosted on their infrastructure, which in the vast majority of cases is based in the United States.

The point isn’t the quality of the product, which is often excellent. The point is where your company’s operating brain ends up and who controls it. Renting an office is one thing; having your most important documents live in a building you don’t hold the keys to, with access rules the landlord changes, is another. As long as everything’s fine you don’t notice. The day a client, an auditor, or a regulator asks you "where is the data and what did the system learn", the answer "I don’t know, it’s inside the vendor" doesn’t hold.

A company brain rented inside a vendor is convenient until you really need it. The day someone asks where the data lives, "it’s in their cloud" isn’t an answer.

When it really matters

For many it’s fine: for some it isn’t, and it’s a serious choice

It isn’t a holy war, and we’re not saying it to sell fear. For a small company, with non-sensitive context and no particular obligations, a serious vendor’s memory is a reasonable choice: convenient, well-kept, and the data is probably better off there than in a scattered chat. If your brain is made of style preferences and project notes, data sovereignty is a theoretical problem, and that’s perfectly fine.

It becomes concrete when the stakes and the rules change. If you operate in a regulated sector, if your company brain contains personal or health data, if a contract or a regulation requires you to know where the data resides and to prove what the system has learned, if you can’t afford the know-how to vanish when you switch tools, then ownership stops being a detail. It isn’t about where to keep notes: it’s about where to keep the company’s brain, with obligations you can’t delegate to a vendor.

What owning it means

Two questions separate those who own the brain from those who rent it

Owning the company brain isn’t a slogan: it’s measured on two axes. The first is where the data lives, inside a vendor’s infrastructure or in a place you control. The second is how it’s governed, automatically and opaquely or explicitly and auditably. The combination of the two tells you who really holds your company’s brain. A vendor’s memory sits in the convenient-but-rented quadrant; context on files you own is the only quadrant you govern.

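Where the data lives: in the vendor or on your files. How it’s governed: explicit or opaque.
  • In the vendor, explicit: Transparent but rented (internal wiki or Notion)
  • On your files, explicit: Your company brain (cowork-os and code-os)
  • In the vendor, opaque: Rented and opaque (Claude Tag memory)
  • On your files, opaque: Yours but messy (chat with scattered prompts)
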
Automatic vendor memory is convenient but lives inside the tool and you can’t see it. Context on files (cowork-os and code-os) takes a bit of discipline, but it’s readable, auditable, and stays yours: it’s the only quadrant you own and govern.

This is the same question we put at the center of a dedicated piece: not whether you need a company brain, but who owns it. If you want the full picture, with Claude Tag and memory as a product, our piece "who owns the company brain" explains it in full.

How you do it

The answer isn’t giving up AI, it’s owning the context

Owning your company brain doesn’t mean going back to paper or saying no to AI: it means keeping the context on files you govern, readable by you and the AI, with data at rest in the EU and self-hosting of the models where the case requires it. It’s exactly the model we build our services on: fixed price, code owned by the client, GDPR compliance, data in Europe. Sovereignty isn’t a constraint that slows you down: it’s what lets you use AI even where the data is sensitive. The why and the practical boundaries are in our piece on AI governance for SMEs.

The technical how is less exotic than it sounds: you start from the same structured company brain files, just kept in a place you control. The practical method, with interviews, structure, and validation, is in our piece "how to build a company brain on files".

Frequently asked questions

Data sovereignty, in practice

What does data sovereignty have to do with the company brain?

The company brain is the company’s operating brain: decisions, rules, state, and often sensitive data. When it lives inside an AI tool’s memory, that data is hosted where the vendor decides, almost always outside the EU, and governed by others. Data sovereignty is the question of where that brain resides and who controls it: for regulated sectors and personal data, it isn’t a technical detail.

Is it a problem that my company brain lives in a US vendor?

It depends on the stakes. For a small company with non-sensitive context, a serious vendor’s memory is a reasonable choice. It becomes a problem if you operate in a regulated sector, if the brain contains personal or health data, if a regulation or contract requires you to know where the data resides and what the system has learned, or if you can’t afford to lose the know-how by switching tools.

Does owning the company brain mean giving up AI?

No. It means keeping the context on files you govern, readable by you and the AI, rather than inside a vendor’s opaque memory. The AI keeps working on it, but the data lives where you decide, with GDPR compliance, data at rest in the EU, and self-hosting of the models where needed. Sovereignty is what lets you use AI even where the data is sensitive, not an obstacle.

How do you keep a company brain GDPR-compliant?

The context sits on structured files the company owns and governs, with data at rest in the EU and, on the most sensitive projects, models installed via self-hosting so the data doesn’t leave. It’s how we set up projects: code owned by the client, a DPA signed before starting, data in Europe. The technical starting point is the same company brain on files, just kept in a place you control.

Transparency

Sources

  1. cowork-os, open-source repository. github.com

Transparency note

This page is written by Raffaele Zarrelli, founder of Yempik, with editing done with Claude. The company brain and its ownership model are Yempik editorial models. The statements on GDPR, EU data, and self-hosting describe how Yempik sets up projects; they are not legal advice. The kits cited are our open-source cowork-os and code-os (MIT license).

Sensitive data or a regulated sector? We keep your brain in your house.

We start from your process and your obligations. We put decisions, rules, and state on files you own, governed, with data at rest in the EU and self-hosting where needed. Fixed price and timeline, the code is yours, the data doesn’t leave.